On Tue, Mar 06, 2007 at 09:37:46AM +0000, Mark McLoughlin wrote:
> On Fri, 2007-03-02 at 17:15 +0000, Daniel P. Berrange wrote:
> > On Mon, Feb 26, 2007 at 04:09:58PM +0000, Mark McLoughlin wrote:
> > > So, we want to install a default network which guests can connect to.
> > > This can be seen as e.g. a replacement for xenbr0 as the default bridge
> > > for xen guests.
> >
> > > 2) IP address choice - I've randomly chosen 192.168.122.1/24 as the
> > > IP address for the network, and this could happen to clash with
> > > an existing network.
> >
> > Oh, the default network needs to provide IPv6 support out of the box
> > too - whatever that entails ?
>
> Right, whatever that entails :-)
>
> So, we had two primary motivations for creating virtual networks:
>
> 1) Offline support - i.e. support inter-domain communication even
> when offline
>
> 2) Network switching - e.g. switching your laptop between different
> wireless networks

3) Isolated networks - i.e. not letting (some subset of) your VMs be
exposed to the scary wild west of the internet :-)

The latter isn't really relevant to the 'default network' use case
though, but is still a use case we need to think of for interesting
admin defined network topologies.

> However, with IPv6, the combination of link-local addresses, address
> auto-configuration and network renumbering should largely eliminate
> these problems.
>
> The conclusion then is that you mostly do want bridging with IPv6 -
> i.e. you want to bridge all guests onto your physical network whereby
> they will auto-configure using router advertisements on the physical
> link.

I must admit to not understanding IPv6 all that much. Do link-local
addresses let the guest communicate with the outside world, or is it only
enabling the VM-to-VM and VM-to-Host communications ?

> One could imagine us allowing IPv6 virtual networks, where Dom0 acts as
> a proper IPv6 router advertising a delegated prefix to guest domains,
> but I'm not sure why that would be useful to people.
To let you isolate VMs from the wider world. Not relevant for a 'default
network' use case though.

> The question, though, is how to make IPv6 available to guests which are
> connected to a virtual network out of a need for e.g. offline support.
> You still want NAT etc. for IPv4, but what to do about IPv6?
>
> The analogy, I think, is what would happen if your DSL provider
> statically allocated an IPv6 prefix to you while still also dynamically
> allocating an IPv4 address to you. You want to NAT IPv4 traffic using
> the IPv4 address, but you want your IPv6 traffic to be bridged to the
> IPv6 over PPP link in order to e.g. get router advertisements from the
> ISP end.

I don't know of any DSL providers or DSL routers which do IPv6, but I'd
expect that all my machines on my LAN magically get an IPv6 address and
that they can access the outside world. I'd still expect incoming
traffic to be restricted by the DSL router firewalling as per IPv4
incoming.

> That leads to the rather ugly conclusion that we should bridge IPv6
> traffic from the virtual network to the physical interface, while still
> forwarding IPv4 traffic using NAT.

Yeah, that seems to be the way it'd work.

> In order to do that, we're going to need a) "shared physical interface"
> configuration i.e. a per-interface flag that determines whether other
> interfaces are allowed to bridge to it, b) an ipv6-only loopback
> interface for connecting the virtual network's bridge to the shared
> physical interface's bridge and c) a way for libvirtd to automatically
> switch the virtual network's bridge to the currently active physical
> interface.
>
> That's all pretty far out stuff. In the mean time, I think all we can
> do is add an "ipv6 enabled" flag which would just ensure that the
> virtual network's interface in Dom0 has a link-local address.

What does the link-local address let a VM do ? VM-Host and VM-VM comms,
but not VM-Internet right ?

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|
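Dan's closing question, what a link-local address lets a VM do, turns on IPv6 address scope. Added example, not from the thread and not libvirt's own code: a Python checker that parses constructed `ip -6 addr show` output and reports the widest reach each interface's addresses give, so a bridge holding only an fe80::/10 address is flagged as VM-to-VM and VM-to-host only; the interface names and addresses in the sample are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output; interface names and
# addresses are assumptions for this example, not values from the thread.
SAMPLE_IP6_ADDR = """\
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1::10/64 scope global dynamic
       valid_lft 86397sec preferred_lft 14397sec
    inet6 fe80::216:3eff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # on-link only, never routed
ULA = ipaddress.IPv6Network("fc00::/7")          # site-scoped, not Internet routable
IFACE_RE = re.compile(r"^\d+: (\S+):")
INET6_RE = re.compile(r"^\s+inet6 (\S+)/\d+")
REACH_ORDER = ["loopback", "link-local", "ula", "global"]

def scope_of(addr):
    """Classify one IPv6 address by how far traffic sourced from it can go."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"  # peers on the same bridge/link only
    if a in ULA:
        return "ula"         # within the site; Internet routers drop it
    return "global"          # Internet reachable, subject to firewalling

def parse_ip6_addr(text):
    """Map interface name -> list of IPv6 address strings from `ip -6 addr` output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
        elif current is not None and (m := INET6_RE.match(line)):
            result[current].append(m.group(1))
    return result

def reach_per_interface(text):
    """Widest reach each interface's addresses provide. A bridge carrying only a
    link-local address serves VM-to-VM and VM-to-host traffic, not VM-to-Internet."""
    return {name: max((scope_of(a) for a in addrs), key=REACH_ORDER.index, default="none")
            for name, addrs in parse_ip6_addr(text).items()}
```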